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In this paper, we propose a cache architecture, called SCache, to detect buffer-overflow 
attacks at run time. Furthermore, the energy-security efficiency of SCache is discussed. 
SCache generates replica cache lines on each return-address store, and compares the 
original value loaded from the memory stack to the replica one on the corresponding 
return-address load. The number and the placement policy of the replica line strongly 
affect both energy and vulnerability. In our evaluation, it i ... 
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Electronic computers have evolved from exiguous experimental enterprises in the 1940s 
to prolific practical data processing systems in the 1980s. As we have come to rely on 
these systems to process and store data, we have also come to wonder about their ability 
to protect valuable data. 

Data security is the science and study of methods of protecting data in computer and 
communication systems from unauthorized disclosure ... 
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This paper presents DOME, a host-based technique for detecting several general classes 
of malicious code in software executables. DOME uses static analysis to identify the 
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locations (virtual addresses) of system calls within the software executables, and then 
monitors the executables at runtime to verify that every observed system call is made 
from a location identified using static analysis. The power of this technique is that it is 
simple, practical, applicable to real-world software, and high ... 

Keywords: anomaly detection, code analysis, dynamic analysis, execution monitoring, 
intrusion detection, malicious code detection, static analysis, system calls 
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Although many defense mechanisms against buffer overflow attacks have been proposed, 
buffer overflow vulnerability in software is still one of the most prevalent vulnerabilities 
exploited. This paper proposes a micro-architecture based defense mechanism against 
buffer overflow attacks. As buffer overflow attack leads to a compromised return address, 
our approach is to provide a software transparent micro-architectural support for return 
address integrity checking. By keeping an uncompromised cop ... 

Keywords: buffer overflow, computer architecture, computer security, intrusion tolerance 
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Stack-smashing by buffer overflow is a common tactic used by viruses and worms to 
crash or hijack systems. Exploiting a bounds-unchecked copy into a stack buffer, an 
attacker can— -by supplying a specially-crafted and unexpectedly long input— overwrite a 
stored return address and trigger the execution of code of her choosing. In this paper, we 
propose to protect code from this common form of attack using dynamic instruction 
stream editing (DISE), a previously proposed hardware mechanism that im ... 
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Malware -- a generic term that encompasses viruses, trojans, spywares and other 
intrusive code — is widespread today. Malware analysis is a multi-step process providing 
insight into malware structure and functionality, facilitating the development of an 
antidote. Behavior monitoring, an important step in the analysis process, is used to 
observe malware interaction with respect to the system and is achieved by employing 
dynamic coarse-grained binary-instrumentation on the target system. However, ... 

Keywords: instrumentation, malware, security 
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April 2004 Proceedings of the 42nd annual Southeast regional conference ACM-SE 42 
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Full text available:^ pdf(276.25 KB) Additional Information: full citation , abstract , references , citings 

Most of today's computers are connected to the Internet or at least to a local network, 
exposing system vulnerabilities to the potential attackers. One of the attackers' goals is 
the execution of the unauthorized code. In this paper we propose a framework that will 
allow execution of the trusted code only and prevent malicious code from executing. The 
proposed framework relies on the run-time verification of basic block signatures. The 
basic block signatures are generated during a trusted instal ... 

Keywords: computer security, intrusion detection, trusted execution 
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Through the design and implementation of a JVM that supports Pluggable Verification 
Modules (PVMs), the idea of an extensible protection mechanism is entertained. Link-time 
bytecode verification becomes a pluggable service that can be readily replaced, 
reconfigured and. augmented. Application-specific verification services can be safely 
introduced into the dynamic linking process of the JVM. This feature is enabled by the 
adoption of a previously proposed modular verification architecture, Pro ... 

Keywords: Aegis VM, Java virtual machine, bytecode verification, extensible protection 
mechanism, extensible systems, mobile code security, pluggable verification modules, 
proof linking 
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t erms 

The increasing monoculture in operating systems and key applications and the enormous 
expense of N-version programming for custom applications mean that lack of diversity is 
a fundamental barrier to achieving survivability even for high value systems that can 
afford hot spares. This monoculture makes flash worms possible. Our analysis of 
vulnerabilities and exploits identifies key assumptions required to develop successful 
attacks. We review the literature on synthetic diversity techniques, f ... 

Keywords: diversity, n-version programming, vulnerability 
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A dynamic binary translator is a just-in-time compiler that translates source architecture 
binaries into target architecture binaries on the fly. It enables the fast running of the 
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source architecture binaries on the target architecture. Traditional dynamic binary 
translators invalidate their translations when a module is unloaded, so later re-loading of 
the same module will lead to a full retranslation. Moreover, most of the loading and 
unloading are performed on a few "hot" modules, which caus ... 

Keywords: dynamic binary translation, dynamic loaded module, memory management, 
translation reuse 
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Computer security becomes increasingly important with continual growth of the number of 
interconnected computing platforms. Moreover, as capabilities of embedded processors 
increase, the applications running on these systems also grow in size and complexity, and 
so does the number of security vulnerabilities. Attacks that impair code integrity by 
injecting and executing malicious code are one of the major security issues. This problem 
can be addressed at different levels, from more secure softwa ... 

Keywords: attacks, code injection, code integrity 
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The equivalence problem for deterministic real-time pushdown automata is shown to be 
decidable. This result is obtained by showing that Valiant's parallel stacking technique 
using a replacement function introduced in this paper succeeds for deterministic real-time 
pushdown automata. Equivalence is also decidable for two deterministic pushdown 
automata, one of which is real-time. 
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Worm containment must be automatic because worms can spread too fast for humans to 
respond. Recent work has proposed network-level techniques to automate worm 
containment; these techniques have limitations because there is no information about the 
vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end- 
to-end approach to contain worms automatically that addresses these limitations. 
Vigilante relies on collaborative worm detection at end hosts, but does not requir ... 

Keywords: control flow analysis, data flow analysis, self-certifying alerts, worm 
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In most modern operating systems, a process is a hardware -protected abstraction for 
isolating code and data. This protection, however, is selective. Many common 
mechanisms— dynamic code loading, run-time code generation, shared memory, and 
intrusive system APIs— make the barrier between processes very permeable. This paper 
argues that this traditional open process architecture exacerbates the dependability and 
security weaknesses of modern systems. 

As a remedy, this paper prop ... 

Keywords: open process architecture, sealed kernel, sealed process architecture, 
software isolated process (SIP) 
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Component-based programming is an increasingly prevalent theme in software 
development, motivating the need for expressive and safe module interconnection 
languages. Dynamic linking is an important requirement for module interconnection 
languages, as exemplified by dynamic link libraries (DLLs) and class loaders in operating 
systems and Java, respectively. A semantics is given for a type-safe module 
interconnection language that supports shared libraries and dynamic linking, as well as 
circular ... 

Keywords: Dynamic Linking, Module Interconnection Languages, Recursive Modules, 
Shared Libraries 
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We describe an anomaly intrusion-detection system for platforms that incorporate 
dynamic compilation and profiling. We call this approach "dynamic sandboxing." By 
gathering information about applications' behavior usually unavailable to other anomaly 
intrusion-detection systems, dynamic sandboxing is able to detect anomalies at the 
application layer. We show our implementation in a Java Virtual Machine is both effective 
and efficient at stopping a backdoor and a virus, and has a low false positi ... 

Keywords: Java, anomaly detection, dynamic sandboxing 
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Since the summer of 1973, when I became a Burroughs Research Fellow, my life has 
been very different from what it had been before. The daily routine changed: instead of 
going to the University each day, where I used to spend most of my time in the company 
of others, I now went there only one day a week and was most of the time that is, when 
not travelling!— alone in my study. In my solitude, mail and the written word in general 
became more and more important. The circumstance that my employe ... 
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Software deployment is a complex process, and industrial-strength frameworks such 
as .NET, Java, and CORBA all provide explicit support for component deployment. 
However, these frameworks are not built around fundamental principles as much as they 
are engineering efforts closely tied to particulars of the respective systems. Here we aim 
to elucidate the fundamental principles of software deployment, in a platform-independent 
manner. Issues that need to be addressed include deployment unit design ... 
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With more computing platforms connected to the Internet each day, computer system 
security has become a critical issue. One of the major security problems is execution of 
malicious injected code. In this paper we propose new processor extensions that allow 
execution of trusted instructions only. The proposed extensions verify instruction block 
signatures in run-time. Signatures are generated during a trusted installation process, 
using a multiple input signature register (MISR), and stored in an ... 
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We present the first shape analysis for multithreaded programs that avoids the explicit 
enumeration of execution-interleavings. Our approach is to automatically infer a resource 
invariant associated with each lock that describes the part of the heap protected by the 
lock. This allows us to use a sequential shape analysis on each thread. We show that 
resource invariants of a certain class can be characterized as least fixed points and 
computed via repeated applications of shape analysis only o ... 

Keywords: abstract interpretation, concurrent programming, shape analysis, static 
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